IDS mailing list archives

Re: Automated IDS Signature Generator?

From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Wed, 18 Jun 2003 15:38:25 -0400 (EDT)

Is there a utility/function/program that automatically generates an IDS
signature based on a recording of a monitored exploit attempt? For

That's a joke, right? :-)  I suspect that is provably impossible
especially if you will include application exploits and various
configuration abuses.

The obvious questions are, how would thus "utility" know...
1....what part of the whole network traffic session is indeed malicious
(is that the first SYN or what?)
2. ...what part of the malicious traffic session to use for the
signature?
3. ...what part will be repeated in the subsequent attacks?

I am sure there are more questions pending.

Think about it, there is not even a good GUIDE on how to program a HUMAN
to do the above task...

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

Current thread:

Automated IDS Signature Generator? quakeroats (Jun 18)
- Re: Automated IDS Signature Generator? Anton A. Chuvakin (Jun 19)
- Re: Automated IDS Signature Generator? Stefano Zanero (Jun 19)
- Re: Automated IDS Signature Generator? Christian Kreibich (Jun 22)
- <Possible follow-ups>
- RE: Automated IDS Signature Generator? Kohlenberg, Toby (Jun 18)
- RE: Automated IDS Signature Generator? Kohlenberg, Toby (Jun 19)